NetBSD-Users archive


Re: Buffer Overflow - fvwrite.c and fread.c sources



Thanks David,
Exactly what I needed!



Thanks
Niks




On Wed, Dec 22, 2010 at 9:39 PM, David Mentis <dmentis%cox.net@localhost> wrote:

> Nikunj,
> If you know what the struct for FILE is supposed to look like, you can
> offset the pointer and cast. I don't have the netbsd source, but on
> freebsd the first few lines look like:
>
> unsigned char *_p;
> int _r;
>
> In that case, I could offset my FILE pointer by sizeof(unsigned
> char*), and cast it to an int to get the value of _r -- assuming
> proper dereferencing along the way. For example,
>
> void *tmp = (void*)f; /* NOTE: this is also _p */
> tmp = (char*)tmp + sizeof(unsigned char*); /* tmp now points to _r (arithmetic on char*, not void*) */
> fprintf(stdout, "f->_r : %d\n", *((int*)(tmp)));
>
> Cheers,
> David
>
> On Wed, Dec 22, 2010 at 12:34 AM, nikunj badjatya
> <nikunjbadjatya%gmail.com@localhost> wrote:
> >
> > Hi,
> > @Matthias: Thanks for replying! Pardon me for insufficient information in
> > the prev mail.
> >
> > 1.
> > fread.c:
> >  79    (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
> >
> > fvwrite.c:
> > inside __sfvwrite function.
> > 166     COPY(w);   /* expansion at line 83, a memcpy call again. */
> >
> > 2.
> > I am currently investigating a "possibility" of buffer overflow at these
> > places. memcpy can write outside the bounds of allocated memory!
> > * Which is why I need to examine from where fp->_p and fp->_r are getting
> > their values.
> > * From where the memory allocation of _p, _r etc. is taking place.
> > * The FILE structure is defined in file STDIO.H . It has all these
> > members.
> >
> > 3.
> > What I mean by knowing the contents of the FILE structure is:
> > if I write a sample program which opens a sample text file ( FILE *fp ),
> > performs read/write operations, and finally prints various FILE structure
> > members like fp->_p, _r etc. But when I compile the program it says fp
> > has no member named _p, _r !
> >
> > 4.
> > I am using NetBSD 5.1.
> >
> > I hope I have made it clear enough.
> >
> > Thanks,
> > Nikunj
> >
> >
> >
> > On Wed, Dec 22, 2010 at 6:20 AM, Matthias Scheler
> > <tron%zhadum.org.uk@localhost> wrote:
> >
> > > On Tue, Dec 21, 2010 at 03:38:31PM +0530, nikunj badjatya wrote:
> > > > I am just 3 months old to Linux and C programming.
> > >
> > > This mailing list is about the NetBSD operating system, not about
> > > Linux.
> > >
> > > > Recently started investigating on Buffer overflow issues with
> > > > fvwrite.c and fread.c sources.
> > >
> > > Please explain why you think there is a buffer overflow issue.
> > > I've just reviewed the implementation of fread(3) in "fread.c" and
> > > it looks fine to me.
> > >
> > > > Present in lib/libc/stdio/* folder. Here's my investigation:-
> > > > {
> > > > There is a memcpy function.
> > > >
> > > > *1. at line 81 in fread.c -
> > > > (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
> > >
> > > Line 81 of "fread.c" looks like this:
> > >
> > >        /* fp->_r = 0 ... done in __srefill */
> > >
> > > > 2. and at line 168 in fvwrite.c. after expanding COPY macro*.
> > >
> > > What COPY macro? There is no COPY macro defined or used in "fread.c".
> > > Can you please explain which *NetBSD* sources you are looking at?
> > >
> > > > How do I know the contents of FILE structure.?
> > >
> > > It is private to the library and therefore off limits.
> > >
> > >        Kind regards
> > >
> > > --
> > > Matthias Scheler
> > > http://zhadum.org.uk/
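
The thread asks two things: whether the memcpy in fread(3) can write past its bounds, and how to read private FILE members such as _r when the compiler refuses `fp->_r`. The following C program is an added example, not code from this thread or from NetBSD's libc. It uses a constructed `struct mock_file` whose first members mirror the `_p` / `_r` layout David describes (the real `struct __sFILE` has many more fields), a `mock_refill()` standing in for `__srefill()`, and a `mock_fread()` that reproduces the copy loop's bounding logic so the invariant can be checked with assertions. It also shows David's offset-and-cast trick done with `offsetof()`, which accounts for any padding between `_p` and `_r` that `sizeof(unsigned char *)` would miss; the trick remains layout-dependent and only works when the struct definition is known.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the leading fields of a BSD-style FILE.
 * Illustration only; not the library's definition. */
struct mock_file {
    unsigned char *_p;          /* current read position inside the buffer */
    int _r;                     /* bytes remaining in the buffer for reading */
    unsigned char *_bf_base;    /* buffer start */
    int _bf_size;               /* buffer size in bytes */
    const unsigned char *src;   /* constructed backing "file" contents */
    size_t src_len;
    size_t src_off;
};

/* Stand-in for __srefill(): copies at most _bf_size bytes into the buffer,
 * resets _p to the buffer start and sets _r <= _bf_size.
 * Returns 0 on success, -1 at end of file. */
static int mock_refill(struct mock_file *fp)
{
    size_t avail = fp->src_len - fp->src_off;
    size_t n = avail < (size_t)fp->_bf_size ? avail : (size_t)fp->_bf_size;
    if (n == 0)
        return -1;
    memcpy(fp->_bf_base, fp->src + fp->src_off, n);
    fp->src_off += n;
    fp->_p = fp->_bf_base;
    fp->_r = (int)n;
    return 0;
}

/* Model of the fread(3) copy loop. Every memcpy length is
 * min(bytes still wanted, bytes available in the buffer): the source side
 * is bounded by _r (which refill keeps <= _bf_size) and the destination side
 * by resid, which counts down from size * count, the caller's buffer size. */
size_t mock_fread(void *buf, size_t size, size_t count, struct mock_file *fp)
{
    size_t resid = size * count;
    size_t total = resid;
    unsigned char *p = buf;

    if (resid == 0)
        return 0;
    if (fp->_r < 0)
        fp->_r = 0;
    while (resid > (size_t)fp->_r) {
        size_t r = (size_t)fp->_r;
        assert(fp->_p + r <= fp->_bf_base + fp->_bf_size); /* source bound */
        memcpy(p, fp->_p, r);                 /* drain what the buffer holds */
        p += r;
        resid -= r;
        if (mock_refill(fp) != 0)
            return (total - resid) / size;    /* EOF: whole items copied */
    }
    assert(fp->_p + resid <= fp->_bf_base + fp->_bf_size);
    memcpy(p, fp->_p, resid);                 /* resid <= _r here */
    fp->_p += resid;
    fp->_r -= (int)resid;
    return count;
}

/* Offset-and-cast read of _r using offsetof(), so padding is handled.
 * Only valid because the struct layout is known in this translation unit. */
int peek_r_by_offset(const struct mock_file *fp)
{
    const char *base = (const char *)fp;
    return *(const int *)(base + offsetof(struct mock_file, _r));
}

/* Read a constructed 10-byte "file" through a 4-byte buffer into an
 * exactly-sized destination. Returns the number of bytes read (10). */
size_t demo(void)
{
    static const unsigned char data[] = "0123456789";
    unsigned char bufmem[4], out[10];
    struct mock_file f = { bufmem, 0, bufmem, sizeof bufmem, data, 10, 0 };
    size_t n = mock_fread(out, 1, sizeof out, &f);
    assert(memcmp(out, data, 10) == 0);
    assert(peek_r_by_offset(&f) == f._r);
    return n;
}

/* Same data, but the caller asks for 16 bytes: the loop stops at EOF and
 * reports 10, never writing beyond the bytes that actually exist. */
size_t demo_eof(void)
{
    static const unsigned char data[] = "0123456789";
    unsigned char bufmem[4], out[16];
    struct mock_file f = { bufmem, 0, bufmem, sizeof bufmem, data, 10, 0 };
    size_t n = mock_fread(out, 1, sizeof out, &f);
    assert(memcmp(out, data, 10) == 0);
    return n;
}

int main(void)
{
    printf("exact read: %zu bytes, short read: %zu bytes\n", demo(), demo_eof());
    return 0;
}
```

The point of the assertions is the one Matthias makes: the copy length never exceeds what the buffer holds or what the caller asked for, so the memcpy by itself is not an overflow. When auditing the real fread.c, the places to check are the same ones the model marks: where `_r` is set by the refill routine and where `resid` is derived from the caller's `size * count`.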

